• Modem bridged or in DMZ?

    1
    0 Votes
    1 Posts
    670 Views
    No one has replied
  • Connection problems

    6
    0 Votes
    6 Posts
    2k Views
    P
    Thanks for your help, heper. I just got a phone call from my ISP, the problem is within their network and they are trying to fix this asap.
  • VPN - can I do this with pfSense

    4
    0 Votes
    4 Posts
    1k Views
    dotdash
    Yes, IPSec or OpenVPN would connect when there was traffic to the remote site.
  • Lost, not sure if issue is routing, gateway setup, etc

    2
    0 Votes
    2 Posts
    620 Views
    V
    Bridge….. Duh, nevermind the previous request, I assumed (I know, I know.....) that PFSense would act like a switch without bridging enabled.
  • IPXE

    1
    0 Votes
    1 Posts
    776 Views
    No one has replied
  • PXE booting help

    5
    0 Votes
    5 Posts
    1k Views
    B
    I hadn't noticed the dhcp log before so that was a useful pointer. Not sure what I changed but I finally managed to get pfSense working as a PXE Server so I'm very pleased with that. It seems pretty straightforward in retrospect :)
  • Use hostnames or IP addresses in network - more reliable?

    6
    0 Votes
    6 Posts
    1k Views
    R
    Counter-intuitively, DHCP makes things much easier and more controllable. That way all your PCs get the same DNS servers, gateway, time server and everything else. More importantly if you want to change something globally like a subnet, then change it once and DHCP will handle it all in conjunction with DNS.  However I am talking about a real DHCP server, not the cut down abominations in most home routers.
  • Always increase 1% everyday disk space

    2
    0 Votes
    2 Posts
    601 Views
    M
    You're obviously not running your 'du' command from root. Try the following: du -hd1 / This will give you an idea of where the space issue is occurring. My bet is /var/log, although you haven't said whether you have any packages installed (NTop can use up disk space quite quickly depending on traffic volumes).
  • Importance of crypto performance (quick Q)

    4
    0 Votes
    4 Posts
    857 Views
    H
    Just like HTTPS, the cost of the encryption is borne by the end-points that terminate the connections. If the VPN is done by the clients through the firewall/router, it doesn't cause any additional load. They're just packets.
  • 0 Votes
    5 Posts
    6k Views
    P
    Thanks again, for your most recent comments….much appreciated! I will go ahead and implement your suggestions. So, I just received the wireless card, stuck it in the pfSense box, and voila, it seems to get recognized pretty well. Other than assigning the interface to OPT2, I haven't done anything with it as yet (still have to figure out how to set up the pfSense box as a router). Along with the wireless card I had also ordered a second "StarTech 1-Port 10/100/1000Mbps PCI Ethernet Card - Model #: ST1000BT32", which I also stuck into the pfSense box at the same time. Assigned OPT1 to this interface. The cost of each of these cards is approx. $15....so I've invested $30 for the 2 cards. I know it's a cheaper option, but would it be wise to stick with these 2 cards (having spent just $30) versus purchasing a used HP 4-port card for $48 + tax + shipping (approx. $60) from eBay? In other words, would I ever need 5 gigabit ports (as opposed to just 3), and also bear in mind that these 2 single port cards are just PCI (not PCIe), whereas the used HP card is PCIe. Would that make a big difference, and therefore would make more sense for me to pay more and just buy the 4-port card?
  • Detecting intruders

    3
    0 Votes
    3 Posts
    1k Views
    KOM
    I'm not sure how to tell what is visible from the outside world. Look at your firewall rules on the WAN tab.  That's what is visible to the outside world.
  • Subnetting theory for added security

    4
    0 Votes
    4 Posts
    992 Views
    Derelict
    Yeah, that works for one AP.
  • [SOLVED] Need help setting up second Subnet.

    6
    0 Votes
    6 Posts
    1k Views
    Derelict
    Yeah because when you're bridging you have to get everything just right. Because you're trying to use a router as a switch, you might have to tell the filter to let traffic into an interface for the same subnet if you built the bridge wrong. Just get a switch. A $24 one from Fry's will be better than a bridge. Complete waste of a good router interface.
  • LAN & OPT1 share a Chromecast?

    4
    0 Votes
    4 Posts
    1k Views
    M
    Well, I seem to have it working. I'll have to get a sanity check on my firewall rules for all my networks later this week. Since the two auxiliary APs get turned off when not in use they aren't exactly a security risk all the time.
  • Pfsense default security question

    2
    0 Votes
    2 Posts
    612 Views
    V
    It would be equal. pfSense allows by default any traffic from LAN to WAN, but none from WAN to LAN. A consumer router does the same, unless there is no "service port" opened or something like that. You should take a look at the configuration to be on the safe side.
  • Adding new interface - getting DHCP address but no connectivity

    7
    0 Votes
    7 Posts
    1k Views
    I
    Thanks for your help but I need to cut my losses and reset to factory. I may have made a setting change along the way that's causing the issue. If not, this will help me narrow down my problem anyway.
  • What makes the 32-bit version 2.1.5 the fastest openvpn performer?

    8
    0 Votes
    8 Posts
    2k Views
    T
    How can a VPN get real world throughput of 125Mbit/s on a 100Mbit/s capped connection? My ISP most of the time gives you a bit of room over the cap. As can be seen when openvpn is off. Why would your speedtest server not be in area of your exit point? Chicago is the vpn exit point, more than 400 miles away from me. The test without openvpn was with a local server. That is why I cut that part away. Are you using UDP or TCP? What cipher? etc.. UDP and aes-128-cbc. And then check it going through the vpn. I did not do a traceroute, but I always do a DNS leak test making sure my IP is the VPN provider's IP, in this case the Chicago one. If you really want to test then you need to make sure everything is same other than changing version. I know this is not scientific testing. However, all the tests I ran were done with exactly the same settings and in the same way. I understand it will vary. But I have been consistently getting better results with this version. I am not the only one who observed this. Here is another thread reporting vpn speed drop after upgrading from 2.1.5 to 2.2.2. https://forum.pfsense.org/index.php?topic=88758.msg490684#msg490684
  • Admin Account Disabled, can still use credentials for SSH Access

    3
    0 Votes
    3 Posts
    1k Views
    D
    Sincere apologies for the late response. The device is not yet in production, so I will test disabling the FreeRadius and again disabling the admin account and test SSH, will let you know the outcome. Thanks for your support, it is appreciated. Regards Darren
  • Pfsense wiki

    2
    0 Votes
    2 Posts
    716 Views
    V
    https://doc.pfsense.org/index.php/Main_Page These?
  • Need your advice

    11
    0 Votes
    11 Posts
    3k Views
    G
    ESX has a minimal performance hit. You won't notice it so long as you don't overload it. You don't need pfsense and Sophos UTM. They each have their strengths and weaknesses, but trying to use both would be complicated. You don't need a LAGG capable switch to use multiple physical NICs in an ESX box. You can configure ESX so that it keeps the same virtual machine MAC address associated with the same physical NIC. That way, a non-LAGG switch sees the same MAC addresses on the same ports and doesn't get unhappy. I may be wrong, but I think that is actually the default (I haven't looked for a while). With the setup you describe, you don't need multiple ports anyway. Your clients only hit the ESX box to hit the Internet, and you are limited to way less than gigabit speed there anyway. Your clients will talk directly to each other, so you don't need high bandwidth to ESX/pfsense for that. Don't worry about the two unused NIC ports. Trying to force them into use won't make anything perform better, and will just make things more complicated.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.